4 malware families

ZPHP

Also known asZPHP

ZPHP is a threat cluster identified by Proofpoint in June 2023. Proofpoint describes it as conducting fake browser update campaigns leading to NetSupport RAT, with activity ongoing in weekly campaigns. ZPHP is also cited as one of several clusters beyond the TA569 ecosystem using web inject techniques. Proofpoint observed that beginning in June 2024, ZPHP campaigns used a NetSupport configuration with licensee XMLCTL and serial number NSM303008. Proofpoint also reported similarities between ZPHP and UAC-0050, including JavaScript-based delivery mechanisms and overlapping NetSupport configuration, but explicitly stated that this overlap does not prove they are the same actor. No nation-state attribution is provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

29 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics41 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

3 techniques

T1189×2

Drive-by Compromise

T1195×2

Supply Chain Compromise

T1566×2

Phishing

T1566.001

Spearphishing Attachment

T1566.003

Spearphishing via Service

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.001×5

PowerShell

T1059.003

Windows Command Shell

T1059.005

Visual Basic

T1059.007×3

JavaScript

T1204×6

User Execution

T1204.002×2

Malicious File

T1204.004

Malicious Copy and Paste

TA0003

Persistence

2 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0004

Privilege Escalation

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1055

Process Injection

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

TA0005

Stealth

6 techniques

T1027×3

Obfuscated Files or Information

T1027.003

Steganography

T1036

Masquerading

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1218

System Binary Proxy Execution

T1218.005×5

Mshta

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

TA0007

Discovery

1 technique

T1497

Virtualization/Sandbox Evasion

T1497.001×2

System Checks

TA0009

Collection

1 technique

T1115×2

Clipboard Data

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1105×3

Ingress Tool Transfer

T1219×2

Remote Access Tools

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

NetSupport RATWhile NetSupport is less commonly observed in Proofpoint campaign data at this time, there are still a handful of threat actors that distribute it as a first-stage payload via email.2Apr 23, 2026

RemcosThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

Sectop RATThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

StealCThe campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.1Mar 25, 2026

IOCS

Observables

12 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

12 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

security affairsNews

Jun 19, 2026

14,971 WordPress Sites Cleaned in Global SocGholish Takedown

Threat cluster identified as using web inject campaigns beyond the TA569 ecosystem.

proofpointNews

Jun 17, 2026

Sayonara, SocGholish: Operation Endgame Disrupts Major Cybercrime Operation | Proofpoint US

Threat cluster involved in web-inject campaigns using compromised websites and fake update style delivery.

proofpoint threat insight blogNews

Mar 5, 2025

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker’s First Choice | Proofpoint US

Activity cluster conducting fake browser update campaigns that deliver NetSupport RAT, and in some cases Lumma Stealer, via compromised websites.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping29

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables12

Domains, IPs, and hashes tied to this actor, refreshed continuously.